Bug #54158 mysql doesn't support chained SSL certificates properly
Submitted: 1 Jun 2010 20:09  Modified: 14 Jun 2022 21:05
Reporter: [ name withheld ]
Status: Closed
Category: MySQL Server: Compiling  Severity: S4 (Feature request)
Version: 5.1.47  OS: Any
CPU Architecture: Any
Tags: Contribution

[1 Jun 2010 20:09] [ name withheld ]
Description:
mysql will only read the first certificate from a server or client certificate file.  This fails to support standard arrangements for using chained certificates (i.e., those signed by an intermediate certificate authority rather than directly by a root authority).  It is possible to work around this by listing the intermediate authorities as fully trusted in the ssl-ca file, but that's not the recommended way to do things, because they aren't really trust anchors.  The intermediate authorities' certs ought to be appended to the certificate file, instead.

How to repeat:
Try to use an SSL cert file that contains an indirectly-signed certificate followed by the cert of the intermediate certificate authority.  This should work, and does with most other SSL-using daemons.

Suggested fix:
In an OpenSSL build, the fix is trivial:

diff -Naur mysql-5.1.47.orig/vio/viosslfactories.c mysql-5.1.47/vio/viosslfactories.c
--- mysql-5.1.47.orig/vio/viosslfactories.c	2010-05-06 11:28:07.000000000 -0400
+++ mysql-5.1.47/vio/viosslfactories.c	2010-05-26 23:23:46.000000000 -0400
@@ -100,7 +100,7 @@
 		       (long) ctx, cert_file, key_file));
   if (cert_file)
   {
-    if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
     {
       *error= SSL_INITERR_CERT;
       DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
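Review bot: SSL_CTX_use_certificate_chain_file() expects the file to hold the end-entity certificate first, followed by the intermediate CA certificates in signing order, which the replaced SSL_CTX_use_certificate_file() call never required; the comment above this call and the --ssl-cert option documentation should state that ordering, since a file with the intermediate first now fails at this `<= 0` check with the same SSL_INITERR_CERT message as before and gives no hint why. As the report itself notes, the yaSSL build still reads a single certificate, so after this hunk the two builds accept different --ssl-cert files; that difference should be called out until yaSSL is fixed as well.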

However, you'd also want to fix yassl to be able to read more than one cert from a cert file, and that's a bit less trivial.
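The failure the description reports, and the ssl-ca workaround it discourages, as an added example that is not part of the original post or of MySQL's own code. It assumes an openssl command-line tool (1.1.1 or later) is installed, and builds a throwaway root, intermediate and server certificate to show which certificate-file layout verifies against the root alone.

```shell
#!/bin/sh
# Added example, not code from the bug report or from MySQL: reproduce with the openssl CLI
# what the report describes. The root -> intermediate -> leaf PKI is constructed on the fly;
# every key, subject name and file name here is a throwaway made up for the demonstration.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Root CA (self-signed): the only certificate the client should have to trust.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Server (leaf) certificate, signed by the intermediate rather than directly by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mysql.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null

# The file the report wants --ssl-cert to accept: leaf first, then the intermediate(s).
cat server.pem inter.pem > server-chain.pem
# What a server that reads only the first PEM block of that file ends up with:
# openssl x509 stops after the first certificate, just as the reported code does.
openssl x509 -in server-chain.pem -out old-server.pem 2>/dev/null

# Client side: can the leaf be validated with nothing but the root CA trusted, given the
# certificates in $1 as what the server sent? (-untrusted supplies them as chain links,
# which is how a TLS client treats extra certificates from the server.) Exit 0 means yes.
client_verifies() {
    openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
}

# The workaround the report calls non-recommended: put the intermediate into --ssl-ca,
# which makes the client treat a non-root CA as a trust anchor.
workaround_verifies() {
    cat root.pem inter.pem > ca-bundle.pem
    openssl verify -CAfile ca-bundle.pem server.pem >/dev/null 2>&1
}

# Server presenting the whole chain: verifies. Server presenting the first cert only: does not.
client_verifies server-chain.pem && echo "chain file: verified"
client_verifies old-server.pem || echo "first cert only: NOT verified (issuer unknown)"
workaround_verifies && echo "intermediate listed as trust anchor: verified (workaround)"
```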
[5 Apr 2011 22:50] Jan Ksta
I confirm that. 5.5.10 MySQL yassl build still does not support fetching intermediate CAs to the client.
[6 Aug 2013 16:01] Rodney Beede
Does the text in http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html ("6.3.9.4. SSL Command Options" of "MySQL 5.6 Reference Manual"):

[BEGIN QUOTE]
MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-capath option.
[END QUOTE]

Does this mean that yaSSL and OpenSSL can now both be used with complete chains on a MySQL server?
[5 Feb 2018 8:52] Terje Røsten
Due to removal of yassl[1], it should be possible to fix this issue in MySQL 8.0.

[1]: https://mysqlserverteam.com/mysql-8-0-4-openssl-and-mysql-community-edition/
[5 Feb 2018 15:48] Daniël van Eeden
I thought YaSSL wasn't going to be removed in 8.0.x. Having OpenSSL as default for both community edition and enterprise edition doesn't change this for those who compile MySQL themselves with YaSSL.
[5 Feb 2018 16:05] Terje Røsten
Hi Daniël!

I am sorry, my mistake, you are right, yassl is present in mysql sources, so problem still remains.
[15 May 2018 12:27] MySQL Verification Team
https://bugs.mysql.com/bug.php?id=80698 marked as duplicate of this one.
[16 Oct 2019 7:39] Daniël van Eeden
As YaSSL and WolfSSL support is now gone I think it is time to close this bug (providing it is fixed by using OpenSSL)
[22 Oct 2019 15:43] John Casebolt
As of 22 October 2019, it looks like the remaining OpenSSL code on (at least) the 5.7 branch has not been updated to leverage certificate chains:

https://github.com/mysql/mysql-server/blob/5.7/vio/viosslfactories.c

Due to this, I can only validate my server certificate to the first intermediate in my chain when using MySQL Connector/J.
[14 Jun 2022 21:05] Philip Olson
Posted by developer:

Fixed as of the upcoming MySQL Server 8.0.30 release, and here's the proposed changelog entry from the documentation team:

Extended support for chained SSL certificates.

Thank you for the bug report.

The --ssl-cert documentation was also updated to reflect this change.